For the last few days I have been getting an alert that disk space on my C drive is low. When I checked, free space on my C drive was decreasing hour by hour, and at one point it simply said 0 MB free on the C drive.
Initially I thought my system had been infected by some sort of virus and scanned my whole system with an anti-virus. The anti-virus was not able to find anything. So I tried the WinDirStat tool to verify which directory or program was hogging the memory, so that I could at least get a feel for what exactly is happening on my machine. To my surprise, I saw that the Temp folder under C:\Windows was eating 70-80% of the space. This directory has a lot of log files, MSI files, etc.

When I deleted a few files, I was able to get space back on my C drive. Now I have a few questions about that:

1 - Any idea about any known malware which creates files in C:/Windows/Temp just to eat the space, and how I can cure my machine with respect to that malware?

2 - Is there any chance that one of my programs/processes is corrupt and is creating log files in that folder, eating up the space unknowingly? If yes, any idea how to find 'that' corrupt program/process?

Would you consider editing the title to something about detecting and removing malware?
– Arthur Ulfeldt, Sep 19 '12 at 22:00

2

The free Sysinternals tools are very powerful for troubleshooting Windows systems and software. For instance, Process Explorer might help you find out what programs are making those files: technet.microsoft.com/en-us/sysinternals. OTOH, if it is malware it may be difficult or impossible to eradicate, but try more than one vendor/tool before you give up :)
– adric, Sep 19 '12 at 23:12

'-1'?? Seriously?? I thought people get points for changing the title :)
– p_upadhyay, Sep 20 '12 at 16:33

1

This question would probably be a better fit for Super User.
– Michael Hampton, Sep 20 '12 at 16:37

2 Answers
2

While in theory a malware infection could do this as part of its payload, it's much more likely to be a buggy program that is writing too many log files. Malware tends to attack the disk by either deleting or encrypting existing files.

As a start, empty the temp folder and watch it to see exactly what files are being written. Note that lots of things are legitimately written to temp, so you'll be looking for similarly named files being created rapidly, in order.

If they're log files, examine the contents in a text editor. This should give a hint as to what is being logged.

If that doesn't give you a clue, the next step, as adric suggests, is to get a copy of the Sysinternals toolkit and use ProcessMon to see what process has these files open.
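The "watch temp for similarly named files created rapidly" step from the answer above, as an added triage script that is not part of the original answer or the asker's post: it groups files in a directory into name families (runs of digits and hex collapsed to `#`), then reports the families that are large or being written quickly. The directory and file names are constructed for the demo; point `scan_temp` at C:\Windows\Temp on a real machine.

```python
import os
import re
import tempfile
import time
from collections import defaultdict
from pathlib import Path

# A hex run of 4+ chars containing at least one digit (MSI3A1F, GUID fragments)
# or any digit run (dates, counters) is collapsed so that rotating log names
# such as Install_2012-09-19_0001.log and ..._0002.log share one family.
_HEX_RUN = re.compile(r"(?=[0-9a-fA-F]*\d)[0-9a-fA-F]{4,}")
_DIGITS = re.compile(r"\d+")

def name_family(filename: str) -> str:
    return _DIGITS.sub("#", _HEX_RUN.sub("#", filename))

def scan_temp(temp_dir, min_count=5):
    """Group files by name family; return families with >= min_count members,
    sorted by total bytes descending, with an approximate creation rate."""
    families = defaultdict(list)
    for entry in os.scandir(temp_dir):
        if entry.is_file(follow_symlinks=False):
            st = entry.stat(follow_symlinks=False)
            families[name_family(entry.name)].append((st.st_size, st.st_mtime))
    report = []
    for fam, items in families.items():
        if len(items) < min_count:
            continue
        times = sorted(t for _, t in items)
        span = max(times[-1] - times[0], 1e-9)  # seconds between first and last write
        report.append({
            "family": fam,
            "count": len(items),
            "total_bytes": sum(s for s, _ in items),
            "files_per_minute": len(items) / span * 60,
        })
    report.sort(key=lambda r: r["total_bytes"], reverse=True)
    return report

def build_sample_temp():
    """Constructed sample: one chatty log family written every 30 s, plus noise."""
    root = Path(tempfile.mkdtemp(prefix="temp_triage_"))
    now = time.time()
    for i in range(20):
        p = root / f"Install_2012-09-19_{i:04d}.log"
        p.write_bytes(b"x" * 4096)
        os.utime(p, (now - 600 + i * 30, now - 600 + i * 30))
    for name in ("MSI3A1F.tmp", "MSI7B22.tmp", "other.txt"):
        (root / name).write_bytes(b"y" * 100)
    return root

if __name__ == "__main__":
    for row in scan_temp(build_sample_temp()):
        print(row)
```

Once a family stands out, filtering Process Monitor on that path shows which process is writing it.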